php - website security using global variable
I was recently browsing some PHP source code, particularly that of forum software like phpbb and esotalk.

I noticed one thing: most of them use a global variable at the start of their pages as some sort of security, like so:

if (!defined("IN_ESOTALK")) exit; //For esotalk
if (!defined("IN_PHPBB")) exit; //FOR phpbb

What sort of security is this? I don't understand. Could you explain to me what this prevents and how?

thanks, Vidhu

Toxin answered 1/1, 2013 at 21:56 Comment(1)
This is to prevent accessing the script from outside the application. – Manvil

It works by making sure the PHP script doesn't run unless the framework has started up. This way the user can't execute a script without going through the proper page.

Here's an example. We have 2 files:

index.php

<?php
     define("_MY_FRAMEWORK", 1);
     echo 'started';
     require('script.php');
?>

and script.php

<?php
    if (!defined("_MY_FRAMEWORK")) exit;
    echo "my script";
?>

If you run script.php directly, nothing will happen because _MY_FRAMEWORK has not been defined. It will exit.

However, if you run index.php, which includes script.php, the script will continue because you did define _MY_FRAMEWORK first. You will get the full output: started followed by my script.

@Gumbo makes a good point: If you haven't seen define before, it defines a constant that cannot be changed. The user contributions to the PHP documentation can be helpful to understand how it works.

Gramnegative answered 1/1, 2013 at 21:59 Comment(1)
You should mention that these are constants and not variables. – Profiterole

This also prevents variable manipulation by using register_globals.

If register_globals is enabled in php.ini, users are able to modify variables in the script by changing the variable in the URL, but this would not allow them to modify the value of constant variables that were defined using the define function.

Conchoidal answered 1/1, 2013 at 22:2 Comment(0)
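An added, runnable example (not code from phpbb, esotalk, or any of the answers above) that ties the two previous answers together. It recreates the index.php / script.php pair from the accepted answer, adds a deliberately weak variant that guards on a variable instead of a constant, and runs each file through the PHP CLI the way a direct request or the entry page would. Because register_globals no longer exists (removed in PHP 5.4), it is simulated here with parse_str() and extract() on a query string passed as the first command-line argument; the file names, that simulation, and the run() helper are assumptions made for this demo, not part of the original code.

```php
<?php
// Added example: demonstrates the define()-based include guard and why a guard
// on a plain variable could be bypassed under register_globals. Run with:
//   php guard_demo.php
// It writes small PHP files into a temp directory, executes each with the PHP
// CLI, compares the output to what the guard should produce, then cleans up.

$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();   // assumed temp location
mkdir($dir);

// Simulated register_globals (an assumption for this demo): turn a query string
// given as argv[1] into plain PHP variables, as old register_globals did for $_GET.
file_put_contents("$dir/fake_register_globals.php", <<<'PHP'
<?php
parse_str($argv[1] ?? '', $_GET);
extract($_GET);               // e.g. "in_framework=1" -> $in_framework = "1"
PHP
);

// script.php: the constant-based guard from the accepted answer.
file_put_contents("$dir/script.php", <<<'PHP'
<?php
require __DIR__ . '/fake_register_globals.php';
if (!defined('_MY_FRAMEWORK')) exit;   // constant: cannot be created from the URL
echo "my script\n";
PHP
);

// weak.php: the same idea using a variable; this is what register_globals could defeat.
file_put_contents("$dir/weak.php", <<<'PHP'
<?php
require __DIR__ . '/fake_register_globals.php';
if (!isset($in_framework)) exit;        // variable: register_globals can set it
echo "weak script\n";
PHP
);

// index.php: the entry point that defines the constant and then includes script.php.
file_put_contents("$dir/index.php", <<<'PHP'
<?php
define('_MY_FRAMEWORK', 1);
echo "started\n";
require __DIR__ . '/script.php';
PHP
);

// Run one of the demo files with the PHP CLI and return its output.
function run(string $dir, string $file, string $query = ''): string {
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg("$dir/$file")
         . ' ' . escapeshellarg($query) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// [file, simulated query string, expected output]
$cases = [
    ['index.php',  '',                "started\nmy script\n"],  // normal path through the entry page
    ['script.php', '',                ''],                      // direct request: guard exits silently
    ['script.php', '_MY_FRAMEWORK=1', ''],                      // URL makes a variable, never a constant
    ['weak.php',   '',                ''],                      // direct request: guard exits
    ['weak.php',   'in_framework=1',  "weak script\n"],         // bypassed: variable came from the URL
];

foreach ($cases as [$file, $query, $expected]) {
    $out = run($dir, $file, $query);
    printf("%-11s %-18s -> %s\n",
           $file,
           $query === '' ? '(no query)' : "?$query",
           $out === $expected ? 'as expected: ' . json_encode($out)
                              : 'UNEXPECTED: ' . json_encode($out));
}

// Remove the temp files.
foreach (glob("$dir/*.php") as $f) unlink($f);
rmdir($dir);
```

The last two cases are the point of the register_globals answer: both guards stop a direct request, but only the constant-based one still holds when the request can inject variables, because defined() looks at the constant table and nothing in $_GET can populate it.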

These are global constants. With these they make sure their software is running how it's intended.

Photographer answered 1/1, 2013 at 22:5 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.